Letsencrypt Renewals requesting constantly

#1 Wed, 04/12/2017 - 12:02
eznethost.com

All Virtual Servers on all VPSs I have Virtualmin installed on that have a letsencrypt certificate set to renew automatically are requesting new certificates thousands of times a day once they hit the set renewal time.

I set them to request renewal after 2 months, and every new Virtual Server is fine for the first 2 months. Then it requests renewal, updates, then keeps requesting; every few minutes it tries again and fails. I get thousands of emails in the generic mail account for each virtual server every day saying the letsencrypt renewal failed.

I tried setting one of the failed ones to not renew and it still does it. It's killing the performance of the VPSs, having to handle all the traffic to letsencrypt and email routing to advise of the failure.

All servers are running CentOS 7 x64, Virtualmin 5.07 and I keep them up to date as any updates are required.

An error occurred requesting a new certificate for ***********.*** from Let's Encrypt : Failed to request certificate :

Parsing account key...
Parsing CSR...
Registering account...
Already registered!
Verifying *********.***...
*********.*** verified!
Signing certificate...
Traceback (most recent call last):
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 203, in <module>
    main(sys.argv[1:])
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 199, in main
    signed_crt = get_crt(args.account_key, args.csr, args.acme_dir, log=LOGGER, CA=args.ca)
  File "/usr/libexec/webmin/webmin/acme_tiny.py", line 166, in get_crt
    raise ValueError("Error signing certificate: {0} {1}".format(code, result))
ValueError: Error signing certificate: 429 {
  "type": "urn:acme:error:rateLimited",
  "detail": "Error creating new cert :: Too many certificates already issued for exact set of domains: *********>***",
  "status": 429
}

Thu, 04/13/2017 - 16:45
volk

This is probably a bug.

Even if they are correctly renewing. Let's Encrypt has a rate limit per week, so no VPS should be doing them all at the same time, because not only will it not work, but Let's Encrypt will block the server from future renewals if you are hitting the limits.

It probably should be done in chunks, for example 50 per day, and so on, and a few days before they expire. And secondly, other control panels that do this have a waiting time after each certificate request, regardless of error or success.

Example:

Request cert example.com...

Failed!

Wait 5 minutes....

Request cert example2.com

Success!

Wait 3 minutes

Request cert...

And so on.

Please open a bug for this, so the developers can take a look. The error you get is actually from Let's Encrypt, which is blocking your servers; check where it says: Too many certificates already issued for exact set of domains

Fri, 04/14/2017 - 10:09 (Reply to #2)
eznethost.com

Thanks, I know what the error is. And why Letsencrypt is sending it. Not sure you understood my problem though.

I set up a virtual server for, let's say, domain1.com on a VPS. I request a Letsencrypt certificate for domain1.com and set the auto renew to 2 months. It requests, adds the certificate and all is fine for 2 months. Until the day the VPS then requests the renewal: it requests, gets the renewal and updates the renewal date. Great, but then a couple of minutes later, it requests again, and again, and again, and again. Every couple of minutes, over and over again, and it never stops; every few minutes it sends a new request for a certificate even though it's got a new one that's good for the next 2 months. Hundreds if not thousands of times a day, and it's doing it for EVERY domain I set up with an autorenewal.

I have been unable to stop it once it starts, without removing the virtual server and setting it up from fresh with a manual renewal, but then I have to remember to go in every couple of months and renew the certificates.

Fri, 04/14/2017 - 16:41 (Reply to #3)
volk

Yes, I understand what you are saying. You should open a bug issue for that so the developers can check the problem, assuming it's a bug in the software.

Fri, 07/14/2017 - 00:12
rfking

I have exactly the same problem, is this fixed?

Fri, 07/14/2017 - 09:22
eznethost.com

Not that I know of. I just stopped setting them up with auto renew.

Wed, 08/02/2017 - 06:04
leon05

Any update on this? I've 200 domains, including 40 with SSL LetsEncrypt. And the auto renew is requesting all certificates every 5 minutes... even if they are still expiring in 2 months.

How do I fix this nice feature?

Tue, 08/15/2017 - 04:39
monsieurQ

Same issue here. Does VM build 6 address this? The excessive renewal emails are crippling my server.

Sun, 08/27/2017 - 13:02
Joe

It only requests multiple times if it fails. So...fix why it's failing to validate and it'll stop requesting certs again. (That said, I think Jamie did implement a back-off feature when it fails, but I'll check with him about it.)

--

Check out the forum guidelines!
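
The pacing suggested earlier in the thread (a daily cap and a wait after every request) and the back-off on failure mentioned above, sketched as an added example that is not Virtualmin's code or any poster's. The state fields, the 30-day window, the 7-day hold after a 429 and the `issue` stand-in for the ACME client are all assumptions.

```python
from datetime import datetime, timedelta

RENEW_BEFORE = timedelta(days=30)     # assumed renewal window before expiry
DAILY_CAP = 50                        # chunk size from the thread's "50 per day"
BASE_WAIT = timedelta(minutes=5)      # pause after any attempt
RATE_LIMIT_WAIT = timedelta(days=7)   # assumed hold after an HTTP 429
ISSUED = 201                          # success code assumed for the stand-in issuer

def plan_batch(domains, now, sent_today=0):
    """Return domains to request now: due, out of back-off, soonest expiry first."""
    due = [d for d in domains
           if d["not_after"] - now <= RENEW_BEFORE and d["retry_at"] <= now]
    due.sort(key=lambda d: d["not_after"])
    return due[:max(DAILY_CAP - sent_today, 0)]

def record_result(domain, now, status, new_not_after=None):
    """Store the outcome so the next scheduler tick cannot repeat the request."""
    if status == ISSUED:               # new expiry takes the domain out of the window
        domain.update(not_after=new_not_after, failures=0, retry_at=now + BASE_WAIT)
    elif status == 429:                # rate limited: stop asking until the limit resets
        domain["failures"] += 1
        domain["retry_at"] = now + RATE_LIMIT_WAIT
    else:                              # other failure: double the wait, capped at one day
        domain["failures"] += 1
        wait = BASE_WAIT * 2 ** min(domain["failures"], 10)
        domain["retry_at"] = now + min(wait, timedelta(days=1))
    return domain["retry_at"]

def simulate(domains, issue, start, ticks, step=timedelta(minutes=5)):
    """Run the scheduler every `step`; `issue(name)` stands in for the ACME client."""
    requests, sent = {d["name"]: 0 for d in domains}, {}
    for i in range(ticks):
        now = start + i * step
        for d in plan_batch(domains, now, sent.get(now.date(), 0)):
            sent[now.date()] = sent.get(now.date(), 0) + 1
            requests[d["name"]] += 1
            record_result(d, now, issue(d["name"]), now + timedelta(days=90))
    return requests

if __name__ == "__main__":
    t0 = datetime(2017, 4, 12)         # constructed state for four hypothetical domains
    state = [{"name": n, "not_after": t0 + timedelta(days=days), "failures": 0, "retry_at": t0}
             for n, days in [("ok.example", 10), ("limited.example", 10),
                             ("broken.example", 10), ("fresh.example", 60)]]
    codes = {"limited.example": 429, "broken.example": 500}
    print(simulate(state, lambda n: codes.get(n, ISSUED), t0, ticks=288))
```

Over one simulated day of five-minute ticks, a renewed or rate-limited domain is requested once and a persistently failing one a handful of times, instead of on every tick.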

Sun, 09/10/2017 - 00:25
sfbob

FWIW, I also started receiving hourly emails about certificate renewal failures. Did a lot of checking on the server, re-examined the contents of the emails, couldn't find challenge files on server.

After staring at the contents of one email, I glanced at the from address - it was coming from my development server. Hmm. Check the contents of acme-challenge directory on dev and sure enough, lots of challenge files there, and names matched those in the failure emails.

I doubt if anyone else would make such a simple mistake, but it shouldn't hurt to check.

BTW - dev server now has cert updates set to manual.

Mon, 07/01/2019 - 21:02
paulM

It would appear a problem still exists with the renewal algorithm. Let's Encrypt is now enforcing limits on renewing certs and the repeating renewal by Virtualmin is causing Let's Encrypt to block renewal on all of my domains. I had all of them set to an auto renewal period of 2 months. At the suggestion of Let's Encrypt support, I ran a summary of one of the domains and it shows the repeated certificates being issued within seconds of each other. I will now have to move these all to manual renewal mode and wait for the LEncrypt locks to expire. When I ran the crt.sh request it showed one domain getting 6 certificates within seconds on 2019-05-06, and then the limits kick in and subsequent renewals are blocked and the domains' certificates expire.
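
The crt.sh check described above can be automated to catch a renewal loop before the rate limit does. This is an added example, not part of the original post: the rows are constructed, and the field names (`serial_number`, `name_value`, `not_before`) are assumptions about the JSON that crt.sh returns.

```python
from datetime import datetime, timedelta

def _row(serial, ts, names="domain1.example\nwww.domain1.example"):
    """Build one constructed row in the assumed crt.sh JSON shape."""
    return {"serial_number": serial, "name_value": names, "not_before": ts}

# Constructed sample: one normal issuance in March, then three within seconds.
SAMPLE = [
    _row("a1", "2019-03-06T09:14:02"),
    _row("b1", "2019-05-06T09:14:02"),
    _row("b1", "2019-05-06T09:14:02"),   # precertificate and certificate share a serial
    _row("b2", "2019-05-06T09:14:09"),
    _row("b3", "2019-05-06T09:14:15"),
    _row("c1", "2019-05-06T09:14:11", "domain2.example"),
]

def find_bursts(rows, gap=timedelta(minutes=10), threshold=3):
    """Return (names, first, last, count) for runs of certificates covering the
    exact same name set whose issue times are no more than `gap` apart."""
    issued = {}
    for r in rows:
        names = tuple(sorted(set(r["name_value"].lower().split())))
        # Keying by serial counts a precertificate/certificate pair once.
        issued.setdefault(names, {})[r["serial_number"]] = \
            datetime.fromisoformat(r["not_before"])
    bursts = []
    for names, by_serial in issued.items():
        times = sorted(by_serial.values())
        run = [times[0]]
        for t in times[1:] + [None]:     # None flushes the final run
            if t is not None and t - run[-1] <= gap:
                run.append(t)
                continue
            if len(run) >= threshold:
                bursts.append((names, run[0], run[-1], len(run)))
            run = [t]
    return bursts

if __name__ == "__main__":
    for names, first, last, count in find_bursts(SAMPLE):
        print(f"{count} certificates for {', '.join(names)} between {first} and {last}")
```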